<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
  "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    
    <title>Django 1.7.7 release notes &mdash; Django 1.7.8.dev20150401230226 documentation</title>
    
    <link rel="stylesheet" href="../_static/default.css" type="text/css" />
    <link rel="stylesheet" href="../_static/pygments.css" type="text/css" />
    
    <script type="text/javascript">
      var DOCUMENTATION_OPTIONS = {
        URL_ROOT:    '../',
        VERSION:     '1.7.8.dev20150401230226',
        COLLAPSE_INDEX: false,
        FILE_SUFFIX: '.html',
        HAS_SOURCE:  true
      };
    </script>
    <script type="text/javascript" src="../_static/jquery.js"></script>
    <script type="text/javascript" src="../_static/underscore.js"></script>
    <script type="text/javascript" src="../_static/doctools.js"></script>
    <link rel="top" title="Django 1.7.8.dev20150401230226 documentation" href="../index.html" />
    <link rel="up" title="Release notes" href="index.html" />
    <link rel="next" title="Django 1.7.6 release notes" href="1.7.6.html" />
    <link rel="prev" title="Release notes" href="index.html" />



 
<script type="text/javascript" src="../templatebuiltins.js"></script>
<script type="text/javascript">
(function($) {
    if (!django_template_builtins) {
       // templatebuiltins.js missing, do nothing.
       return;
    }
    $(document).ready(function() {
        // Hyperlink Django template tags and filters
        var base = "../ref/templates/builtins.html";
        if (base == "#") {
            // Special case for builtins.html itself
            base = "";
        }
        // Tags are keywords, class '.k'
        $("div.highlight\\-html\\+django span.k").each(function(i, elem) {
             var tagname = $(elem).text();
             if ($.inArray(tagname, django_template_builtins.ttags) != -1) {
                 var fragment = tagname.replace(/_/, '-');
                 $(elem).html("<a href='" + base + "#" + fragment + "'>" + tagname + "</a>");
             }
        });
        // Filters are functions, class '.nf'
        $("div.highlight\\-html\\+django span.nf").each(function(i, elem) {
             var filtername = $(elem).text();
             if ($.inArray(filtername, django_template_builtins.tfilters) != -1) {
                 var fragment = filtername.replace(/_/, '-');
                 $(elem).html("<a href='" + base + "#" + fragment + "'>" + filtername + "</a>");
             }
        });
    });
})(jQuery);
</script>


  </head>
  <body>

    <div class="document">
  <div id="custom-doc" class="yui-t6">
    <div id="hd">
      <h1><a href="../index.html">Django 1.7.8.dev20150401230226 documentation</a></h1>
      <div id="global-nav">
        <a title="Home page" href="../index.html">Home</a>  |
        <a title="Table of contents" href="../contents.html">Table of contents</a>  |
        <a title="Global index" href="../genindex.html">Index</a>  |
        <a title="Module index" href="../py-modindex.html">Modules</a>
      </div>
      <div class="nav">
    &laquo; <a href="index.html" title="Release notes">previous</a>
     |
    <a href="index.html" title="Release notes" accesskey="U">up</a>
   |
    <a href="1.7.6.html" title="Django 1.7.6 release notes">next</a> &raquo;</div>
    </div>

    <div id="bd">
      <div id="yui-main">
        <div class="yui-b">
          <div class="yui-g" id="releases-1.7.7">
            
  <div class="section" id="s-django-1-7-7-release-notes">
<span id="django-1-7-7-release-notes"></span><h1>Django 1.7.7 release notes<a class="headerlink" href="#django-1-7-7-release-notes" title="Permalink to this headline">¶</a></h1>
<p><em>March 18, 2015</em></p>
<p>Django 1.7.7 fixes several bugs and security issues in 1.7.6.</p>
<div class="section" id="s-denial-of-service-possibility-with-strip-tags">
<span id="denial-of-service-possibility-with-strip-tags"></span><h2>Denial-of-service possibility with <tt class="docutils literal"><span class="pre">strip_tags()</span></tt><a class="headerlink" href="#denial-of-service-possibility-with-strip-tags" title="Permalink to this headline">¶</a></h2>
<p>Last year <a class="reference internal" href="../ref/utils.html#django.utils.html.strip_tags" title="django.utils.html.strip_tags"><tt class="xref py py-func docutils literal"><span class="pre">strip_tags()</span></tt></a>  was changed to work
iteratively. The problem is that the size of the input it&#8217;s processing can
increase on each iteration which results in an infinite loop in
<tt class="docutils literal"><span class="pre">strip_tags()</span></tt>. This issue only affects versions of Python that haven&#8217;t
received  <a class="reference external" href="http://bugs.python.org/issue20288">a bugfix in HTMLParser</a>; namely
Python &lt; 2.7.7 and 3.3.5. Some operating system vendors have also backported
the fix for the Python bug into their packages of earlier versions.</p>
<p>To remedy this issue, <tt class="docutils literal"><span class="pre">strip_tags()</span></tt> will now return the original input if
it detects the length of the string it&#8217;s processing increases. Remember that
absolutely NO guarantee is provided about the results of <tt class="docutils literal"><span class="pre">strip_tags()</span></tt> being
HTML safe. So NEVER mark safe the result of a <tt class="docutils literal"><span class="pre">strip_tags()</span></tt> call without
escaping it first, for example with <a class="reference internal" href="../ref/utils.html#django.utils.html.escape" title="django.utils.html.escape"><tt class="xref py py-func docutils literal"><span class="pre">escape()</span></tt></a>.</p>
</div>
<div class="section" id="s-mitigated-possible-xss-attack-via-user-supplied-redirect-urls">
<span id="mitigated-possible-xss-attack-via-user-supplied-redirect-urls"></span><h2>Mitigated possible XSS attack via user-supplied redirect URLs<a class="headerlink" href="#mitigated-possible-xss-attack-via-user-supplied-redirect-urls" title="Permalink to this headline">¶</a></h2>
<p>Django relies on user input in some cases (e.g.
<a class="reference internal" href="../topics/auth/default.html#django.contrib.auth.views.login" title="django.contrib.auth.views.login"><tt class="xref py py-func docutils literal"><span class="pre">django.contrib.auth.views.login()</span></tt></a> and <a class="reference internal" href="../topics/i18n/index.html"><em>i18n</em></a>)
to redirect the user to an &#8220;on success&#8221; URL. The security checks for these
redirects (namely <tt class="docutils literal"><span class="pre">django.utils.http.is_safe_url()</span></tt>) accepted URLs with
leading control characters and so considered URLs like <tt class="docutils literal"><span class="pre">\x08javascript:...</span></tt>
safe. This issue doesn&#8217;t affect Django currently, since we only put this URL
into the <tt class="docutils literal"><span class="pre">Location</span></tt> response header and browsers seem to ignore JavaScript
there. Browsers we tested also treat URLs prefixed with control characters such
as <tt class="docutils literal"><span class="pre">%08//example.com</span></tt> as relative paths so redirection to an unsafe target
isn&#8217;t a problem either.</p>
<p>However, if a developer relies on <tt class="docutils literal"><span class="pre">is_safe_url()</span></tt> to
provide safe redirect targets and puts such a URL into a link, they could
suffer from an XSS attack as some browsers such as Google Chrome ignore control
characters at the start of a URL in an anchor <tt class="docutils literal"><span class="pre">href</span></tt>.</p>
</div>
<div class="section" id="s-bugfixes">
<span id="bugfixes"></span><h2>Bugfixes<a class="headerlink" href="#bugfixes" title="Permalink to this headline">¶</a></h2>
<ul class="simple">
<li>Fixed renaming of classes in migrations where renaming a subclass would
cause incorrect state to be recorded for objects that referenced the
superclass (<a class="reference external" href="https://code.djangoproject.com/ticket/24354">#24354</a>).</li>
<li>Stopped writing migration files in dry run mode when merging migration
conflicts. When <tt class="docutils literal"><span class="pre">makemigrations</span> <span class="pre">--merge</span></tt> is called with <tt class="docutils literal"><span class="pre">verbosity=3</span></tt> the
migration file is written to <tt class="docutils literal"><span class="pre">stdout</span></tt> (:ticket: <cite>24427</cite>).</li>
</ul>
</div>
</div>


          </div>
        </div>
      </div>
      
        
          <div class="yui-b" id="sidebar">
            
      <div class="sphinxsidebar">
        <div class="sphinxsidebarwrapper">
  <h3><a href="../contents.html">Table Of Contents</a></h3>
  <ul>
<li><a class="reference internal" href="#">Django 1.7.7 release notes</a><ul>
<li><a class="reference internal" href="#denial-of-service-possibility-with-strip-tags">Denial-of-service possibility with <tt class="docutils literal"><span class="pre">strip_tags()</span></tt></a></li>
<li><a class="reference internal" href="#mitigated-possible-xss-attack-via-user-supplied-redirect-urls">Mitigated possible XSS attack via user-supplied redirect URLs</a></li>
<li><a class="reference internal" href="#bugfixes">Bugfixes</a></li>
</ul>
</li>
</ul>

  <h3>Browse</h3>
  <ul>
    
      <li>Prev: <a href="index.html">Release notes</a></li>
    
    
      <li>Next: <a href="1.7.6.html">Django 1.7.6 release notes</a></li>
    
  </ul>
  <h3>You are here:</h3>
  <ul>
      <li>
        <a href="../index.html">Django 1.7.8.dev20150401230226 documentation</a>
        
          <ul><li><a href="index.html">Release notes</a>
        
        <ul><li>Django 1.7.7 release notes</li></ul>
        </li></ul>
      </li>
  </ul>

  <h3>This Page</h3>
  <ul class="this-page-menu">
    <li><a href="../_sources/releases/1.7.7.txt"
           rel="nofollow">Show Source</a></li>
  </ul>
<div id="searchbox" style="display: none">
  <h3>Quick search</h3>
    <form class="search" action="../search.html" method="get">
      <input type="text" name="q" />
      <input type="submit" value="Go" />
      <input type="hidden" name="check_keywords" value="yes" />
      <input type="hidden" name="area" value="default" />
    </form>
    <p class="searchtip" style="font-size: 90%">
    Enter search terms or a module, class or function name.
    </p>
</div>
<script type="text/javascript">$('#searchbox').show(0);</script>
        </div>
      </div>
              <h3>Last update:</h3>
              <p class="topless">Apr 02, 2015</p>
          </div>
        
      
    </div>

    <div id="ft">
      <div class="nav">
    &laquo; <a href="index.html" title="Release notes">previous</a>
     |
    <a href="index.html" title="Release notes" accesskey="U">up</a>
   |
    <a href="1.7.6.html" title="Django 1.7.6 release notes">next</a> &raquo;</div>
    </div>
  </div>

      <div class="clearer"></div>
    </div>
  </body>
</html>